Drupal Patching Vulnerability in release of 6.35 & 7.35 version

Drupal is content management system which is used by million of site owners for managing their sites. Hackers have recently found a vulnerability in the Drupal system which is allowing hackers to forge the password reset URL. Now hackers can access other user account information without even knowing their password. This is really a serious issue and security alert for Drupal users.

One of the Drupal senior reported that Drupal 6 and 7 sites are more vulnerable to this attack. Drupal 6 sites with empty password hashes or guessable strings in the MySql Database and more prone to this vulnerability. Another vulnerability is allowing users to construct a URL which will redirect users to a 3rd party site.

Drupal CMS is using a query string which is frequently used for redirecting users to a new destination after completing work at some page. This feature is misused by the hackers to forward users to another 3rd Party URL. Drupal is already installed on more than 1.1 million sites across the world. Drupal 7 is most used with 983,000 install, report published by SecurityWeek.